
Re: [kitten] [saag] HTTP authentication: the next generation

From: Alexey Melnikov <alexey.melnikov@isode.com>
Date: Sun, 12 Dec 2010 17:10:30 +0300
Message-ID: <4D04D7D6.4090105@isode.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
CC: Luke Howard <lukeh@padl.com>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, "pgut001@cs.auckland.ac.nz" <pgut001@cs.auckland.ac.nz>, Yoav Nir <ynir@checkpoint.com>, websec <websec@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>, "kitten@ietf.org" <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Yaron Sheffer wrote:

> Hi Luke,
>
> I am not a big fan of EAP myself (although I am a co-author on Yoav's 
> TLS-EAP), but no, for pragmatic reasons SASL is not the moral equivalent.
>
> There are a number of EAP methods that provide zero-knowledge password-based 
> mutual authentication (i.e. password-based auth that's *not* 
> susceptible to dictionary attacks). These include (see 
> http://www.iana.org/assignments/eap-numbers/eap-numbers.xml#eap-numbers-3): 
> EAP-SRP-SHA1, EAP-pwd, EAP-EKE and EAP-SPEKE.
>
> As far as I can see 
> (http://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml), 
> SASL does not provide any equivalent method.

There is an expired SASL SRP draft, which can be revived, if needed.

> Thanks,
>     Yaron
>
> On 12/12/2010 03:38 AM, Luke Howard wrote:
>
>> On 12/12/2010, at 10:10 AM, Yoav Nir wrote:
>>
>>> On Dec 11, 2010, at 1:09 AM, Paul Hoffman wrote:
>>>
>>>> At 3:53 PM -0700 12/10/10, Peter Saint-Andre wrote:
>>>>
>>>>> Other than that, I'm not aware of much activity. What have I missed?
>>>>
>>>>
>>>> TLS client certificates.
>>>
>>>
>>> TLS client certificates work, but as we've learned both with the web 
>>> and with IPsec clients, people would much rather not use them. A few 
>>> IETFs ago (Chicago?), a bunch of us tried to push the idea of TLS 
>>> with EAP authentication.
>>>
>>> http://tools.ietf.org/html/draft-nir-tls-eap
>>
>>
>> Does draft-williams-tls-app-sasl-opt-04.txt + abfab get you the moral 
>> equivalent?
>>
>> -- Luke
>
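The quoted point about password-based mutual authentication that does not expose the password to offline dictionary attacks, illustrated with a minimal SRP-6a exchange. This is an added example, not code from the thread or from any of the drafts mentioned; the modulus is a constructed toy (a Mersenne prime, not a secure group) and the proof messages are simplified relative to RFC 2945.

```python
import hashlib
import secrets

# Constructed toy parameters: a Mersenne prime exercises the arithmetic but is
# NOT a secure SRP group; deployments use the RFC 5054 groups instead.
N = (1 << 61) - 1
g = 2

def H(*parts: bytes) -> int:
    """SHA-1 over the concatenated parts, as an integer (SRP-SHA1 style)."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")

def to_bytes(x: int) -> bytes:
    return x.to_bytes((N.bit_length() + 7) // 8, "big")

def private_x(username: str, password: str, salt: bytes) -> int:
    return H(salt, hashlib.sha1(f"{username}:{password}".encode()).digest()) % N

def enroll(username: str, password: str):
    """Server-side enrollment: store (salt, verifier), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)

def srp_run(username: str, password: str, salt: bytes, verifier: int):
    """One exchange; returns (client_accepts_server, server_accepts_client)."""
    k = H(to_bytes(N), to_bytes(g)) % N
    a = secrets.randbelow(N - 2) + 1          # client ephemeral, A = g^a
    A = pow(g, a, N)
    b = secrets.randbelow(N - 2) + 1          # server ephemeral, B = k*v + g^b
    B = (k * verifier + pow(g, b, N)) % N
    u = H(to_bytes(A), to_bytes(B)) % N
    if A % N == 0 or B % N == 0 or u == 0:   # mandatory abort conditions
        return False, False
    # Client only ever uses its password locally; nothing password-derived
    # leaves the client, so a passive observer gets no dictionary-test value.
    x = private_x(username, password, salt)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(verifier, u, N), b, N)
    K_client = hashlib.sha1(to_bytes(S_client)).digest()
    K_server = hashlib.sha1(to_bytes(S_server)).digest()
    # Mutual proof of the shared key: client proves first, server answers.
    M1 = hashlib.sha1(to_bytes(A) + to_bytes(B) + K_client).digest()
    server_accepts = M1 == hashlib.sha1(to_bytes(A) + to_bytes(B) + K_server).digest()
    M2 = hashlib.sha1(to_bytes(A) + M1 + K_server).digest()
    client_accepts = server_accepts and M2 == hashlib.sha1(to_bytes(A) + M1 + K_client).digest()
    return client_accepts, server_accepts
```

With the right password both sides derive the same key and accept each other; with a wrong password neither proof verifies, and the transcript still contains nothing a guess can be checked against offline.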
Received on Sunday, 12 December 2010 14:11:12 GMT
